GNUnet debian-0.24.3-28-g4f2a77692
 
Loading...
Searching...
No Matches
Functions | Variables
crypto_cs.c File Reference

Clause Blind Schnorr signatures using Curve25519. More...

#include "platform.h"
#include "gnunet_util_lib.h"
#include <sodium.h>
#include <gcrypt.h>
Include dependency graph for crypto_cs.c:

Go to the source code of this file.

Functions

void GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv)
 IMPLEMENTATION NOTICE:
 
void GNUNET_CRYPTO_cs_private_key_get_public (const struct GNUNET_CRYPTO_CsPrivateKey *priv, struct GNUNET_CRYPTO_CsPublicKey *pub)
 Extract the public key of the given private key.
 
static void map_to_scalar_subgroup (struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
 Maps 32 random bytes to a scalar.
 
void GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsSessionNonce *nonce, const char *seed, const struct GNUNET_CRYPTO_CsPrivateKey *lts, struct GNUNET_CRYPTO_CsRSecret r[2])
 Derive a new secret r pair r0 and r1.
 
void GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, struct GNUNET_CRYPTO_CsRPublic *r_pub)
 Extract the public R of the given secret r.
 
void GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
 Derives new random blinding factors.
 
static void cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash, const void *msg, size_t msg_len, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsC *c)
 Computes a Hash of (R', m) mapped to a Curve25519 scalar.
 
static void calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs, const struct GNUNET_CRYPTO_CsRPublic *r_pub, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
 calculate R'
 
void GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], const struct GNUNET_CRYPTO_CsRPublic r_pub[2], const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len, struct GNUNET_CRYPTO_CsC blinded_c[2], struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
 Calculate two blinded c's.
 
void GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, const struct GNUNET_CRYPTO_CsRSecret r[2], const struct GNUNET_CRYPTO_CsBlindedMessage *bm, struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
 Sign a blinded c.
 
void GNUNET_CRYPTO_cs_unblind (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, const struct GNUNET_CRYPTO_CsBlindingSecret *bs, struct GNUNET_CRYPTO_CsS *signature_scalar)
 Unblind a blind-signed signature using a c that was blinded.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len)
 Verify whether the given message corresponds to the given signature and the signature is valid with respect to the given public key.
 

Variables

static const unsigned char L_BIG_ENDIAN [32]
 

Detailed Description

Clause Blind Schnorr signatures using Curve25519.

Author
Lucien Heuzeveldt lucie.nosp@m.ncla.nosp@m.ude.h.nosp@m.euze.nosp@m.veldt.nosp@m.@stu.nosp@m.dents.nosp@m..bfh.nosp@m..ch
Gian Demarmels gian@.nosp@m.dema.nosp@m.rmels.nosp@m..org

Definition in file crypto_cs.c.

Function Documentation

◆ map_to_scalar_subgroup()

static void map_to_scalar_subgroup ( struct GNUNET_CRYPTO_Cs25519Scalar scalar)
static

Maps 32 random bytes to a scalar.

This is necessary because libsodium expects scalar to be in the prime order subgroup.

Parameters
[in,out]scalarcontaining 32 byte char array, is modified to be in prime order subgroup

Definition at line 69 of file crypto_cs.c.

70{
71 /* perform clamping as described in RFC7748 */
72 scalar->d[0] &= 248;
73 scalar->d[31] &= 127;
74 scalar->d[31] |= 64;
75}
GNUNET_CRYPTO_Cs25519Scalar::d
unsigned char d[crypto_core_ed25519_SCALARBYTES]
32 byte scalar
Definition gnunet_crypto_lib.h:589

References GNUNET_CRYPTO_Cs25519Scalar::d.

Referenced by GNUNET_CRYPTO_cs_blinding_secrets_derive(), and GNUNET_CRYPTO_cs_r_derive().

Here is the caller graph for this function:

◆ cs_full_domain_hash()

static void cs_full_domain_hash ( const struct GNUNET_CRYPTO_CsRPublic r_dash,
const void *  msg,
size_t  msg_len,
const struct GNUNET_CRYPTO_CsPublicKey pub,
struct GNUNET_CRYPTO_CsC c 
)
static

Computes a Hash of (R', m) mapped to a Curve25519 scalar.

Parameters
hashinitial hash of the message to be signed
pubdenomination public key (used as salt)
[out]cC containing scalar

Definition at line 151 of file crypto_cs.c.

156{
157 // SHA-512 hash of R' and message
158 struct GNUNET_HashCode prehash;
159 gcry_mpi_t l_mpi;
160 gcry_mpi_t c_mpi;
161 unsigned char c_big_endian[256 / 8];
162 size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
163 char r_m_concat[r_m_concat_len];
164 memcpy (r_m_concat,
165 r_dash,
166 sizeof(struct GNUNET_CRYPTO_CsRPublic));
167 memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
168 msg,
169 msg_len);
170
171 GNUNET_CRYPTO_hash (r_m_concat,
172 r_m_concat_len,
173 &prehash);
174
175 // modulus converted to MPI representation
176 GNUNET_CRYPTO_mpi_scan_unsigned (&l_mpi,
177 L_BIG_ENDIAN,
178 sizeof(L_BIG_ENDIAN));
179
180 // calculate full domain hash
181 GNUNET_CRYPTO_kdf_mod_mpi (&c_mpi,
182 l_mpi,
183 pub,
184 sizeof(struct GNUNET_CRYPTO_CsPublicKey),
185 &prehash,
186 sizeof(struct GNUNET_HashCode),
187 "Curve25519FDH");
188 gcry_mpi_release (l_mpi);
189
190 // convert c from mpi
191 GNUNET_CRYPTO_mpi_print_unsigned (c_big_endian,
192 sizeof(c_big_endian),
193 c_mpi);
194 gcry_mpi_release (c_mpi);
195 for (size_t i = 0; i<32; i++)
196 c->scalar.d[i] = c_big_endian[31 - i];
197}
msg
struct GNUNET_MessageHeader * msg
Definition 005.c:2
L_BIG_ENDIAN
static const unsigned char L_BIG_ENDIAN[32]
Definition crypto_cs.c:136
pub
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition gnunet-scrypt.c:47
GNUNET_CRYPTO_hash
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition crypto_hash.c:41
GNUNET_CRYPTO_mpi_scan_unsigned
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition crypto_mpi.c:132
GNUNET_CRYPTO_kdf_mod_mpi
void GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.
Definition crypto_kdf.c:87
GNUNET_CRYPTO_mpi_print_unsigned
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition crypto_mpi.c:79
GNUNET_CRYPTO_CsC::scalar
struct GNUNET_CRYPTO_Cs25519Scalar scalar
Definition gnunet_crypto_lib.h:657
GNUNET_CRYPTO_CsPublicKey
The public information of an Schnorr key pair.
Definition gnunet_crypto_lib.h:619
GNUNET_CRYPTO_CsRPublic
the public R (derived from r) used in c
Definition gnunet_crypto_lib.h:647
GNUNET_HashCode
A 512-bit hashcode.
Definition gnunet_common.h:284

References GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), L_BIG_ENDIAN, msg, pub, and GNUNET_CRYPTO_CsC::scalar.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c(), and GNUNET_CRYPTO_cs_verify().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ calc_r_dash()

static void calc_r_dash ( const struct GNUNET_CRYPTO_CsBlindingSecret bs,
const struct GNUNET_CRYPTO_CsRPublic r_pub,
const struct GNUNET_CRYPTO_CsPublicKey pub,
struct GNUNET_CRYPTO_CsRPublic blinded_r_pub 
)
static

calculate R'

Parameters
bsblinding secret
r_pubR
pubpublic key
[out]blinded_r_pubR'

Definition at line 209 of file crypto_cs.c.

213{
214 // R'i = Ri + alpha i*G + beta i*pub
215 struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base;
216 struct GNUNET_CRYPTO_Cs25519Point beta_mul_pub;
217 struct GNUNET_CRYPTO_Cs25519Point alpha_mul_base_plus_beta_mul_pub;
218 GNUNET_assert (0 ==
219 crypto_scalarmult_ed25519_base_noclamp (
220 alpha_mul_base.y,
221 bs->alpha.d));
222 GNUNET_assert (0 ==
223 crypto_scalarmult_ed25519_noclamp (
224 beta_mul_pub.y,
225 bs->beta.d,
226 pub->point.y));
227 GNUNET_assert (0 == crypto_core_ed25519_add (
228 alpha_mul_base_plus_beta_mul_pub.y,
229 alpha_mul_base.y,
230 beta_mul_pub.y));
231 GNUNET_assert (0 ==
232 crypto_core_ed25519_add (
233 blinded_r_pub->point.y,
234 r_pub->point.y,
235 alpha_mul_base_plus_beta_mul_pub.y));
236}
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition gnunet_common.h:957
GNUNET_CRYPTO_Cs25519Point
Curve25519 point.
Definition gnunet_crypto_lib.h:597
GNUNET_CRYPTO_Cs25519Point::y
unsigned char y[crypto_core_ed25519_BYTES]
This is a point on the Curve25519.
Definition gnunet_crypto_lib.h:602
GNUNET_CRYPTO_CsBlindingSecret::alpha
struct GNUNET_CRYPTO_Cs25519Scalar alpha
Definition gnunet_crypto_lib.h:629
GNUNET_CRYPTO_CsBlindingSecret::beta
struct GNUNET_CRYPTO_Cs25519Scalar beta
Definition gnunet_crypto_lib.h:630
GNUNET_CRYPTO_CsRPublic::point
struct GNUNET_CRYPTO_Cs25519Point point
Definition gnunet_crypto_lib.h:648

References GNUNET_CRYPTO_CsBlindingSecret::alpha, GNUNET_CRYPTO_CsBlindingSecret::beta, GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_assert, GNUNET_CRYPTO_CsRPublic::point, pub, and GNUNET_CRYPTO_Cs25519Point::y.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c().

Here is the caller graph for this function:

Variable Documentation

◆ L_BIG_ENDIAN

const unsigned char L_BIG_ENDIAN[32]
static
Initial value:
= {
0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
}

Definition at line 136 of file crypto_cs.c.

136 {
137 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
138 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
139 0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
140};

Referenced by cs_full_domain_hash().